CAMBRIDGE, MASSACHUSETTS — This year, the 47th Munich Security Conference included for the first time a special session on cybersecurity. “This may be the first time,” the president of a small European noted to the high-powered assembly, more accustomed to dealing with armies and alliances than with worms and denial-of-service attacks, “but it will not be the last.”
Until now, the issue of cybersecurity has largely been the domain of computer geeks. When the Internet was created 40 years ago, this small community was like a virtual village of people who knew each other, and they designed a system with little attention to security.
Even the commercial Web is only two decades old, but as British Foreign Secretary William Hague reminded the Munich conference: It has exploded from 16 million users in 1995 to more than 1.7 billion users today.
This burgeoning interdependence has created great opportunities and great vulnerabilities. Security experts wrestling with cyber-issues are at about the same stage in understanding the implications of this new technology as nuclear experts were in the early years after the first nuclear explosions.
The cyber-domain is a volatile manmade environment. As an advisory panel of defense scientists explained, “people built all the pieces,” but “the cyber-universe is complex well beyond anyone’s understanding and exhibits behavior that no one predicted, and sometimes can’t even be explained well.”
Unlike atoms, human adversaries are purposeful and intelligent. Mountains and oceans are hard to move, but portions of cyberspace can be turned on and off at the click of a mouse. It is cheaper and quicker to move electrons across the globe than to move large ships long distances through the friction of salt water. The costs of developing multiple carrier taskforces and submarine fleets create enormous barriers to entry and make it possible to speak of U.S. naval dominance. In contrast, the barriers to entry in the cyber-domain are so low that nonstate actors and small states can play significant roles at low levels of cost.
In my book, “The Future of Power,” I describe diffusion of power away from governments as one of the great power shifts in this century. Cyberspace is a perfect example of the broader trend. The largest powers are unlikely to be able to dominate this domain as much as they have others like sea, air or space.
While they have greater resources, they also have greater vulnerabilities, and at this stage, offense dominates defense in cyberspace. The United States, Russia, Britain, France and China have greater capacity than other state and nonstate actors, but it makes little sense to speak of dominance in cyberspace. If anything, dependence on complex cybersystems for support of military and economic activities creates vulnerabilities in large states that can be exploited.
There is much loose talk about “cyberwar.” But if we restrict the term to cyber-actions that have effects outside cyberspace that amplify or are equivalent to physical violence, we are only just beginning to see glimpses of cyberwar — for instance in the denial-of-service attacks that accompanied the conventional war in Georgia in 2008, or the recent sabotage of Iranian centrifuges by the Stuxnet worm.
If one treats most hacktivism as mostly a nuisance, there are four major categories of cyberthreats to national security, each with a different time horizon and with different (in principle) solutions: 1) cyberwar and 2) economic espionage, both largely associated with states, and 3) cybercrime and 4) cyberterrorism, mostly associated with nonstate actors.
For the United States, at the present time, the highest costs come from the espionage and crime, but over the next decade or so, war and terrorism may become greater threats.
Moreover, as alliances and tactics evolve among different actors, the categories may increasingly overlap. As the former director of National Intelligence, Mike McConnell, said, “Sooner or later, terror groups will achieve cyber-sophistication. It’s like nuclear proliferation, only far easier.”
At this stage, however, according to President Obama’s 2009 cyber-review, theft of intellectual property by other states (and corporations) is the highest immediate cost. Not only does it result in current economic losses, but by destroying competitive advantage, it jeopardizes future hard power.
Security experts are far from certain what terms such as “offense, defense, deterrence, or the laws of war” mean in the cyber-realm. We are only at the early stages of developing a strategy. And public understanding lags even further behind. That is why this year is likely to be just the beginning of many discussions like the one at the Munich security conference.
Joseph S. Nye Jr. is a professor at Harvard and the author, most recently, of “The Future of Power.”